# np.frombuffer(x, dtype=np.uint8), np.frombuffer(y, dtype=np.SniffPass is small password monitoring software that listens to your network, capture Int.from_bytes(y, 'little')).to_bytes(len(x), 'little') You can use this python code to reconstruct the hash: from binascii import hexlify To calculate the client password hash the client uses this formular: SHA1( "rockyou" ) XOR The seed is made up of the two Salt parameters received in the Server Welcome request, rC6%U]Tk and (20 bytes concatenated). To reconstruct the password we received in the Login Request ( e12a39bbf61a19c68413fa57fc65c7af3a86b85f) we need the 20 bytes of random data (the salts) in the server greeting request. SHA1( "20-bytes random data from server" SHA1( SHA1( password ) ) ) The way mysql_native_password is calculating the client password that is sent in the Login Request is using this formular ( documented here): SHA1( password ) XOR MariaDB Extended Client Capabilities: 0x00000005 Our client responds with the Login Request: MySQL Protocol
MariaDB Extended Server Capabilities: 0x00000007 Server Language: latin1 COLLATE latin1_swedish_ci (8) Lets observe a wireshark dump of a mysql_native_password authentication of username "apoc" with the password "rockyou".įirst we receive a MySQL Protocol Server Greeting (using MariaDB 10.3.31): MySQL Protocol I've looked at MySQL documentation and searched the Internet and can't seem to find anything on this. WireShark Login Packet #3: MAX Packet: 16777216 WireShark Login Packet #2: MAX Packet: 16777216 Password: ada5be054b6a9b44eaa0d86e33fb9442e8af7169Ĭlient Auth Plugin: mysql_native_password WireShark Login Packet #1: MAX Packet: 16777216Ĭharset: utf8 COLLATE utf8_general_ci (33)
What's even weirder is the password changes in the packet, each time I log in. The username is in the clear, but the password doesn't equal the hashed password from the database. So, when I capture the packet containing the credentials, I'm expecting to see the username in the clear and the hashed password being passed, but that's not what I see. I've done some digging and I read that the MySQL client hashes the password before sending even when passing unencrypted. I'm in a test environment trying to use Wireshark to capture credentials being passed to MySQL.
0 kommentar(er)
